{"id":"CVE-2025-0108","details":"An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts. While invoking these PHP scripts does not enable remote code execution, it can negatively impact the integrity and confidentiality of PAN-OS.\n\nYou can greatly reduce the risk of this issue by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practices deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).\n\nThis issue does not affect Cloud NGFW or Prisma Access software.","modified":"2026-05-04T08:48:52.282171Z","published":"2025-02-12T21:15:16.290Z","withdrawn":"2026-05-04T08:48:52.282171Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0108"},{"type":"ADVISORY","url":"https://www.theregister.com/2025/02/19/palo_alto_firewall_attack/"},{"type":"ADVISORY","url":"https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/"},{"type":"ADVISORY","url":"https://www.darkreading.com/remote-workforce/patch-now-cisa-researchers-warn-palo-alto-flaw-exploited-wild"},{"type":"ADVISORY","url":"https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/"},{"type":"EVIDENCE","url":"https://security.paloaltonetworks.com/CVE-2025-0108"},{"type":"EVIDENCE","url":"https://github.com/iSee857/CVE-2025-0108-PoC"},{"type":"EVIDENCE","url":"https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0108.json","unresolved_ranges":[{
"events":[{"introduced":"10.1.0"},{"fixed":"10.1.14"}]},{"events":[{"introduced":"10.2.0"},{"fixed":"10.2.7"}]},{"events":[{"introduced":"11.1.0"},{"fixed":"11.1.2"}]},{"events":[{"introduced":"11.2.0"},{"fixed":"11.2.4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"10.1.14-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h10"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h11"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h12"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h13"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h14"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h15"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h16"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h17"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h18"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h19"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h20"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h21"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h22"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h23"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h4"}]},{"events":[{"intr
oduced":"0"},{"last_affected":"10.2.7-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.7-h9"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h10"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h11"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h12"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h13"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h14"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h15"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h16"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h17"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h18"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h19"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h20"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.8-h9"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h11"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h12"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h13"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h14"}]},{"events":[{"intro
duced":"0"},{"last_affected":"10.2.9-h15"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h16"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h17"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h18"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h19"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h20"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.9-h9"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h10"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h11"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h12"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h13"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.10-h9"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h10"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h11"}]},{"ev
ents":[{"introduced":"0"},{"last_affected":"10.2.11-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h6"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.11-h9"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.12-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.12-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.12-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.12-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.12-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.12-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.13-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.13-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"10.2.13-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h10"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h11"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h12"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h13"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h14"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h15"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h16"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h17"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h6
"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2-h9"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h10"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h11"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h12"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h3"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h4"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h5"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h6"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h7"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h8"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.4-h9"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.5"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.6-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.4-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.4-h1"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.4-h2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.4-h3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}